fix: add uv dependency audit #92

Merged
qartik merged 1 commit into main from codex-issue-88-uv-audit
May 6, 2026

Conversation

@qartik (Member) commented May 6, 2026

Summary

  • replace the pip-audit dependency with native uv audit --locked
  • run the dependency audit before uv sync in CI so vulnerable locked packages stop the job before installation
  • add uv's exclude-newer = "7 days" cooldown to reduce exposure to newly uploaded compromised packages
  • update README and agent guidance to use uv audit

Fixes #88

Validation

  • make audit
  • uv run pytest
  • uv run ruff format --check .
  • uv run ruff check .
  • uv run ty check src tests
  • SKIP=no-commit-to-branch uv run prek run --all-files
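
The CI ordering this PR describes, as an added illustration rather than the PR's own workflow file: the locked audit runs as its own step before `uv sync`, so a vulnerable package in `uv.lock` fails the job before anything is installed, and the `[tool.uv] exclude-newer = "7 days"` setting in `pyproject.toml` keeps any re-resolution away from packages uploaded in the last week. The `astral-sh/setup-uv` action, the job name and the trigger list are assumptions.

```yaml
# Added example, not the project's python-app.yml. Job name, triggers and
# the setup-uv action are assumptions; the step order is the PR's point.
name: python-app
on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5   # assumed way of installing uv on the runner

      # 1. Audit the locked dependency set first. --locked refuses to
      #    re-resolve, so a lockfile that has drifted from pyproject.toml
      #    fails here instead of being silently updated. Nothing has been
      #    installed yet, so a vulnerable locked package stops the job
      #    before it ever lands in the environment.
      - name: Audit locked dependencies
        run: make audit          # Makefile target wraps `uv audit --locked`

      # 2. Only after a clean audit, install from that same lockfile.
      #    Any resolution uv performs honours
      #      [tool.uv]
      #      exclude-newer = "7 days"
      #    in pyproject.toml, so a package uploaded within the last week
      #    cannot be selected even if someone re-locks locally.
      - name: Install dependencies
        run: uv sync --locked

      - name: Test
        run: uv run pytest
```

If the audit step is placed after `uv sync`, the compromised package is already on the runner when the finding is reported, which is exactly the window the reordering closes.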

@qartik qartik marked this pull request as ready for review May 6, 2026 16:28
@qartik qartik requested review from NathanCQC and Copilot May 6, 2026 16:32
Copilot AI left a comment

Pull request overview

This PR updates the template’s dependency vulnerability scanning to use uv audit --locked (instead of pip-audit), integrates it into CI before dependency installation, and adds a 7-day exclude-newer “cooldown” to reduce exposure to newly uploaded packages during resolution.

Changes:

  • Replaced the pip-audit dev dependency and make audit implementation with uv audit --locked.
  • Added a CI step to run the audit before uv sync so known vulnerabilities fail the job early.
  • Configured uv with exclude-newer = "7 days" and updated template documentation/guidance accordingly.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.

Summary per file:

  • uv.lock: Removes pip-audit and its transitive dependencies; records exclude-newer lock options; bumps some dev tool versions.
  • pyproject.toml: Drops the audit dependency group; adds [tool.uv] exclude-newer = "7 days".
  • Makefile: Updates audit target to run uv audit --locked.
  • .github/workflows/python-app.yml: Runs make audit before installing dependencies in CI.
  • README.md: Updates docs to reference uv audit --locked and explains the cooldown behavior.
  • AGENTS.md: Updates agent guidance to use uv audit / uv audit --locked.

@NathanCQC (Collaborator) left a comment

Thank you for doing this.

@qartik qartik added this pull request to the merge queue May 6, 2026
Merged via the queue into main with commit 1fb5ad9 May 6, 2026
5 checks passed
@qartik qartik deleted the codex-issue-88-uv-audit branch May 6, 2026 17:24

Linked issue (closed by this merge): Add dependency vulnerability scanning with pip-audit or uv audit (#88)

3 participants